Transcription
HyTrust Product Applicability GuideFor Federal Risk and Authorization Management Program (FedRAMP)VMware Compliance Reference Architecture FrameworkHyTrust Addendum to theVMware Product Applicability GuideForFederal Risk and Authorization ManagementProgram (FedRAMP) version 1.0August 2014Product Applicability Guide – HyTrust Addendum
VMware Compliance Reference Architect FrameworkHyTrust AddendumTable of ContentsEXECUTIVE SUMMARY . 3INTRODUCTION . 4OFFICIAL FEDRAMP GUIDANCE AS IT APPLIES TO CLOUD ENVIRONMENTS . 5CLOUD COMPUTING.10WHERE TO START – CONSIDERATIONS FOR SYSTEM OWNERS, IT AND ASSESSORS .12GUIDANCE FROM THE FEDERAL RISK AUTHORIZATION MANAGEMENT PROGRAM .13HYTRUST TECHNOLOGIES AND FEDRAMP .14HYTRUST FEDRAMP REQUIREMENTS MATRIX (OVERVIEW) .15HYTRUST BOOT ATTESTATION SERVICE WITH INTEL TXT .15INTEL TXT .15FEDRAMP REQUIREMENTS MATRIX (BY HYTRUST PRODUCT) .16HYTRUST CLOUDCONTROL .16HYTRUST DATACONTROL.21Product Applicability Guide – HyTrust Addendum2
VMware Compliance Reference Architect FrameworkHyTrust AddendumEXECUTIVE SUMMARYThe Federal Risk Authorization and Management Program (FedRAMP) was created to provide a streamlined andstandardized process along with a “do once, use many times” approach to the authorization of commercial cloud services.This program enables US Government agencies to take full advantage of the benefits of migrating their IT assets andinfrastructure to the cloud, as they work to meet the goals of the Federal Cloud Computing Strategy published by the WhiteHouse in February 2011. FedRAMP, which is governed by a Joint Authorization Board (JAB) that consists ofrepresentatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and theDepartment of Defense (DoD) is also endorsed by the U.S. government’s CIO Council including the Information Securityand Identity Management Committee (ISIMC).The FedRAMP program provides an avenue for Cloud Service Providers (CSPs) to obtain a provisional Authority toOperate (p-ATO) after undergoing an independent third-party security assessment that has been reviewed by the JAB, orby a sponsoring Agency. By assessing security controls on candidate platforms, and providing P-ATOs on platforms thathave acceptable risk, FedRAMP significantly reduces the time and cost to agencies by removing the assessment andauthorization requirements of the underlying cloud vendor services on a system-by-system basis. This minimizes the workeach Consumer of FedRAMP Cloud resources must undergo to receive an actual ATO for the workloads runningapplications that process sensitive data and transactions.For these reasons HyTrust has enlisted its Audit Partners such as Coalfire, a FedRAMP-approved 3rd Party AssessmentOrganization (3PAO), to engage in a programmatic approach to evaluate HyTrust products and solutions for FedRAMPcontrol capabilities and then to document these capabilities into a set of reference architecture documents. The first ofthese documents in the FedRAMP Reference Architecture set is this document, the Product Applicability Guide, whichcontains a mapping of the HyTrust products and features that should be considered for implementing FedRAMP controls.The next two documents in the FedRAMP Reference Architecture set are the Architecture Design Guide and the ValidatedReference Architecture. For more information on these documents and the general approach to compliance issues pleasereview VMware's Approach to Compliance.This study investigated different HyTrust applications available to organizations that use (or are considering using) VMwarebased virtualization and cloud services to support a FedRAMP compliant environment. To that end, Coalfire highlighted thespecific FedRAMP requirements these applications (partially) address or should be considered in an evaluation of the initialsourcing of technologies to build a FedRAMP compliant environment. The controls selected for this paper are from theNIST SP 800-53 Rev3 and the FedRAMP Security Controls Baseline. It has been reviewed and authored by our staff ofFedRAMP auditors in conjunction with HyTrust.This Product Applicability Guide Addendum builds upon the base VMware control mapping and alignment for FedRAMP1.0, which is documented in the VMware Product Applicability Guide for FedRAMP 1.0 on the VMware SolutionsExchange.If you have any comments regarding this whitepaper, we welcome any feedback at vmware@coalfire.com or compliancesolutions@vmware.com.Product Applicability Guide – HyTrust Addendum3
VMware Compliance Reference Architect FrameworkHyTrust AddendumINTRODUCTIONCompliance and security continue to be top concerns for organizations that plan to move any or their entire enterprisecomputing environment to the cloud. HyTrust helps organizations address these challenges by providing bundled solutions(suites) that are designed for specific use cases. These use cases address questions like “How can I be FedRAMPcompliant in a HyTrust supported vCloud hosting environment?” by providing helpful information for Virtualizationarchitects, the compliance community, and third parties.The FedRAMP compliant Public Cloud Use Case (See section on Cloud Computing in this document for Cloud Use Cases)is focused on the vCloud Service Provider intending to operate a FedRAMP compliant Public Cloud. Due to the nature ofthe Public Cloud Use Case this document is primarily concerned with guiding readers in the assembly of HyTrustcomponents within the 'Provider' layer. This layer is comprised of HyTrust CloudControl and HyTrust DataControl. Theseproduct suites are described in detail in this paper and in the aforementioned subsequent companion documents. The usecase also provides readers with a mapping of the specific FedRAMP controls to HyTrust’s product suite. While every cloudis unique, HyTrust, VMware and their partners can provide a solution that addresses over 19% of FedRAMP Moderaterequirements with 70% of coverage among technical and operational controls.FedRAMP is based on the NIST SP 800-53 Rev3 set of controls. While this document is intended to provide guidancesolely within the Public Cloud Use Case it can also be beneficial to those who seek guidance on building a FISMAModerate (NIST SP 800-53 Rev3) Private Cloud environment. Another version of the Reference Architecture writtenspecifically for the FISMA Moderate Private Cloud Use Case is expected to be released later in 2014.Due to the commonalities of the HyTrust products and features across all of the Cloud Use Cases, understanding theirrelationship to the seventeen FedRAMP control areas is fundamental and most broadly accommodated in this documentwith more Use Case specific guidance represented in the Architecture Design Guide. Regardless of the Use Case oroperating environment model the FedRAMP control areas represent a broad-based, balanced, information securityprogram that addresses the management, operational, and technical aspects of protecting federal information andinformation systems. The management, operational, and technical controls (i.e., safeguards or countermeasures) areprescribed for an information system in order to protect the confidentiality, integrity, and availability of the system and itsinformation. The operational security controls are implemented and executed primarily by people (as opposed to systems).The management controls focus on the management of risk and the management of information system security. Thetechnical security controls are implemented and executed primarily by the information system through mechanismscontained in the hardware, software, or firmware components of the system.A comprehensive assessment of the management, operational and technical controls that have been selected for the“information system” is required as part of the authorization process. This assessment must determine the extent to whichall selected controls are implemented correctly, operating as intended, and producing desired outcomes with respect tomeeting the security requirements for the system. An understanding of both FISMA Moderate and FedRAMP controls asimplemented with VMware, HyTrust and their Technology Partners' solutions lends itself to harmonizing the ongoingcompliance of the private cloud environment but also the shared responsibility for compliance in the public cloudenvironment. This common set of well-understood policies and procedures implemented in a common HyTrust Softwareacross Private and Public Cloud enables not only the Hybrid Cloud to become reality but opens up tremendousopportunities for tighter control and agility with regard to the principles put forth in the Continuous Diagnostics andMitigation program as outlined by Department of Homeland Security.Product Applicability Guide – HyTrust Addendum4
VMware Compliance Reference Architect FrameworkHyTrust AddendumFigure 1: VMware and Partner Product Capabilities for a VMware-based Trusted CloudOFFICIAL FEDRAMP GUIDANCE AS IT APPLIES TO CLOUDENVIRONMENTSThe Federal Risk Authorization Management Program (FedRAMP) is the result of close collaboration with cybersecurityand cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well asprivate industry. The goal is to provide a streamlined process for the security assessment and authorization of commercialcloud services. This process allows a single Provisional Authorization (p-ATO) of the cloud service offering to be leveragedby any federal agency without requiring them to re-assess the hosting infrastructure on a per-system basis.CSPs must implement the FedRAMP security requirements in their environment and hire a FedRAMP-approved third partyassessment organization (3PAO) to perform an independent assessment to audit the cloud system and provide a securityassessment package for review. In order to maintain a Provisional Authorization the cloud service provider mustimplement a continuous monitoring program. This is critical to ensuring the security controls outlined in the NIST SP 80053 Rev3 controls and the additional FedRAMP parameters are effectively implemented.The FedRAMP security controls baseline is based on the NIST SP 800-53 Rev3 controls that provide detailedManagement, Operational and Technical control guidance for meeting the security requirements established by FederalInformation System Management Act (FISMA). In addition to the FISMA compliance requirements outlined in the NISTcontrols baseline, FedRAMP requirements have been written for key controls and control enhancements.Product Applicability Guide – HyTrust Addendum5
VMware Compliance Reference Architect FrameworkHyTrust AddendumTable 1: FedRAMP Controls BaselineNIST 800-53Rev3 CONTROLFAMILYIDENTIFIERSNIST 800-53 Rev3 CONTROL FAMILYCLASSFEDRAMPMODERATEBASELINE*ACAccess ControlTechnical17(24)ATAwareness and TrainingOperational4AUAudit and AccountabilityTechnical12(9)CACertification, Accreditation, and Security AssessmentManagement6(2)CMConfiguration ManagementOperational9(12)CPContingency PlanningOperational9(15)IAIdentification and AuthenticationTechnical8(10)IRIncident )MPMedia ProtectionOperational6(5)PEPhysical and Environmental ersonnel SecurityOperational8RARisk AssessmentManagement4(5)SASystem and Services AcquisitionManagement12(7)SCSystem and Communications ProtectionTechnical24(16)SISystem and Information IntegrityOperational12(9)*-The number in parentheses in the last column includes the control enhancements required by the FedRAMP ModerateBaselineFor Cloud Service Providers, deploying and maintaining an infrastructure that meets the requirements established in theNIST and FedRAMP baseline requires centralized management and control of all components including virtualapplications, platforms, and network devices.The Federal Risk Authorization Management Program (FedRAMP) specifically began providing formalized guidance forcloud and virtual environments in June, 2012. These guidelines were based on industry feedback, rapid adoption ofvirtualization technology, and the move to cloud.Product Applicability Guide – HyTrust Addendum6
VMware Compliance Reference Architect FrameworkHyTrust AddendumFigure 2: Official guidance on security in FedRAMP Cloud environmentsNIST 800-53The objective of NIST Special Publication 800-53 is to provide a set of security controls that can satisfy the breadth anddepth of security requirements levied on information systems and organizations and that is consistent with andcomplementary to other established information security standards.The catalog of security controls provided in Special Publication 800-53 can be effectively used to demonstrate compliancewith a variety of governmental, organizational, or institutional security requirements. It is the responsibility of organizationsto select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of thecontrols in satisfying their stated security requirements. The security controls in the catalog facilitate the development ofassessment methods and procedures that can be used to demonstrate control effectiveness in a consistent and repeatablemanner—thus contributing to the organization’s confidence that there is ongoing compliance with its stated securityrequirements.The NIST 800-53 presents the fundamental concepts associated with security control selection and specification including:(i) the structure of security controls and the organization of the controls in the control catalog; (ii) security control baselines;(iii) the identification and use of common security controls; (iv) security controls in external environments; (v) securitycontrol assurance; and (vi) future revisions to the security controls, the control catalog, and baseline controls. Securitycontrols described in this publication have a well-defined organization and structure. For ease of use in the security controlselection and specification process, controls are organized into eighteen families. Each security control family containssecurity controls related to the security functionality of the family. In addition, there are three general classes of securitycontrols: management, operational, and technical.FedRAMPCloud computing technology allows the Federal Government to address demand from citizens for better, faster servicesand to save resources, consolidate services, and improve security. The essential characteristics of cloud computing -- ondemand provisioning, resource pooling, elasticity, network access, and measured services -- provide the capabilities foragencies to dramatically reduce procurement and operating costs and greatly increase the efficiency and effectiveness ofservices.Agencies have realized the benefits of this technology and are integrating it into their information technology environment.On December 9, 2010; the Office of Management and Budget (OMB) released the 25 Point Implementation Plan to ReformFederal Information Technology Management, establishing the Cloud First policy and requiring agencies to use cloudbased solutions whenever a secure, reliable, cost-effective cloud option exists. The Federal Risk and AuthorizationProduct Applicability Guide – HyTrust Addendum7
VMware Compliance Reference Architect FrameworkHyTrust AddendumManagement Program (FedRAMP) was established by a memorandum issued by OMB on December 8, 2011, SecurityAuthorization of Information Systems in Cloud Computing Environments (FedRAMP Policy Memo) to provide a costeffective, risk-based approach for the adoption and use of cloud services. A key element to successful implementation ofcloud computing is a security program that addresses the specific characteristics of cloud computing and provides the levelof security commensurate with specific needs to protect government information. Effective security management must bebased on risk management and not only on compliance. By adhering to a standardized set of processes, procedures, andcontrols, agencies can identify and assess risks and develop strategies to mitigate them.The purpose of FedRAMP is to: Ensure that cloud based services have adequate information security; Eliminate duplication of effort and reduce risk management costs; and Enable rapid and cost-effective procurement of information systems/services for Federal agenciesFedRAMP was developed in collaboration with the National Institute of Standards and Technology (NIST), the GeneralServices Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS).Many other government agencies and working groups participated in reviewing and standardizing the controls, policies andprocedures. The major participants in the FedRAMP process are: Federal agency customer –has a requirement for cloud technology that will be deployed into its securityenvironment and is responsible for ensuring FedRAMP compliance Cloud Service Provider (CSP) –is willing and able to fulfill agency requirements and to meet security requirements Joint Authorization Board (JAB) –reviews the security package submitted by the CSP and grants a provisionalAuthority to Operate (ATO) 3rd Party Assessor Organization (3PAO) –validates and attests to the quality and compliance of the CSP providedsecurity package FedRAMP Program Management Office (PMO) –manages the process assessment, authorization, andcontinuous monitoring processA CSP follows the process for a provisional authorization under FedRAMP and uses a 3PAO to assess and review itssecurity control implementations. CSPs then provide documentation of the test results in a completed assessment packageto the FedRAMP PMO. The security package is then reviewed by the JAB and if a CSP system presents an acceptablelevel of risk, a provisional Authorization is granted. Agencies can then leverage the Provisional ATO and grant their ownATO without conducting duplicative assessments.FedRAMP Continuous Monitoring Strategy & GuideFedRAMP assessment process requires that monitoring activities be conducted continuously, quarterly, annually, everythree years and every five years. These activities include required activities from the CSP and required activities of a3PAO. The continuous monitoring program under FedRAMP is designed to provide more transparency into the ongoingsecurity posture of the authorized cloud environment or service environment is acceptable.The OMB memorandum M-10-15, issued on April 21, 2010, changed from static point-in-time sec
This Product Applicability Guide Addendum builds upon the base VMware control mapping and alignment for FedRAMP 1.0, which is documented in the VMware Product Applicability Guide for FedRAMP 1.0 on the VMware Solutions Exchange. If you have any comments regarding this whitepaper, we welcome any feedba
